Skip to Content.
Sympa Menu

cat-users - Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication


Chronological Thread 
    < Chronological >      < Thread >
  • From: Sebastien Ceuterickx <Sebastien.Ceuterickx AT cern.ch>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>, "cat-users AT geant.net" <cat-users AT geant.net>
  • Cc: Adam Wojciech Sosnowski <adam.sosnowski AT cern.ch>
  • Subject: Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication
  • Date: Wed, 29 Jan 2014 20:33:19 +0000
  • Accept-language: en-GB, en-US
  • List-archive: <http://mail.geant.net/pipermail/cat-users/>
  • List-id: "The mailing list for users of the eduroam Configuration Assistant Tool \(CAT\)" <cat-users.geant.net>

Thanks Tomasz. Actually your are right and your comment is very valuable.

 

We will ask advices to our security experts and come back to you.

 

Best regards,

Sebastien

 

From: Tomasz Wolniewicz [mailto:twoln AT umk.pl]
Sent: 29 January 2014 16:16
To: Sebastien Ceuterickx; cat-users AT geant.net
Cc: Adam Wojciech Sosnowski
Subject: Re: [cat-users] [eduroam CAT] Windows 7 EAP-TLS authentication

 

I am not sure I understand.
You would want the username to be set to anonymous AT cern.ch for all users?

I am not sure how RADIUS servers log things now, but it used to be that they logged by User-Name and to make sure that the User-Name fits the user cert, there was an option to compare the User-Name with one of the cert attributes. If you did not do that, then one user could claim to be another one or you would get all your authentications logged under just one user.

Specifying anonymous AT cern.ch does not provide any additional user privacy, of course, as the user cert is sent unencrypted.
What we do at my university is to provide our staff with pseudoanonymous certificates which only carry an assigned numebr as an ID, and no private data. The CN of the certificate is  xxxx AT certyfikaty.umk.pl where xxxx is this number. Windows will extract this CN by itself and use it as User-Name, therefore our users do not even need to know this number (well at least for Windows). We think that this approach is quite tidy and safe for users, plus gives the extra security that the critical credentials like passwords cannot be compromised.

I need to check if it is possible to tell Windows what the alternative user-name should be, but I rather doubt that it can be done easily.

Tomasz



W dniu 2014-01-29 16:01, Sebastien Ceuterickx pisze:

Dear Tomasz,

 

Thank you very much for your reply. It works better. However, the alternative login name is still not set to “anonymous AT cern.ch”. Is there a possibility to prevent the user to do it manually?

 

Cheers,

Sebastien



-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln
 
Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576

Attachment: smime.p7s
Description: S/MIME cryptographic signature


Archive powered by MHonArc 2.6.19.

Top of Page